authorNirbhay Choubey <nirbhay@mariadb.com>2015-06-23 13:48:39 -0400
committerNirbhay Choubey <nirbhay@mariadb.com>2015-06-23 13:48:39 -0400
commit71d1f35847a575239deff856590bf6f13afd74ed (patch)
treed80e9280ad4996c0198e5e6928d86c1f0e631895 /policy
parent327409443fa5631b98e65b0c1cce1cfb6e05f723 (diff)
downloadmariadb-git-71d1f35847a575239deff856590bf6f13afd74ed.tar.gz
Update SELinux policy to allow UDP for multicast repl in galera.mariadb-galera-5.5.44
Diffstat (limited to 'policy')
-rw-r--r--policy/selinux/README22
-rw-r--r--policy/selinux/mariadb-server.te28
2 files changed, 30 insertions, 20 deletions
diff --git a/policy/selinux/README b/policy/selinux/README
index a8c11c71a0b..3f695dc27a3 100644
--- a/policy/selinux/README
+++ b/policy/selinux/README
@@ -1,18 +1,20 @@
Note: The included SELinux policy files can be used for MariaDB Galera cluster.
However, since these policies had been tested for a limited set of scenarios,
-it is highly recommended to run SELinux in "permissive" mode even with these
-policies installed and report any denials on mariadb.org/jira.
+it is highly recommended that you run mysqld in "permissive" mode even with
+these policies installed and report any denials on mariadb.org/jira.
How to generate and load the policy module of MariaDB Galera cluster ?
+ * Generate the SELinux policy module.
+ # cd <source>/policy/selinux/
+ # make -f /usr/share/selinux/devel/Makefile mariadb-server.pp
-* Generate the SELinux policy module.
- # cd <source>/policy/selinux/
- # make -f /usr/share/selinux/devel/Makefile mariadb-server.pp
+ * Load the generated policy module.
+ # semodule -i /path/to/mariadb-server.pp
-* Load the generated policy module.
- # semodule -i /path/to/mariadb-server.pp
-
-* Lastly, run the following command to allow 4568.
- # semanage port -a -t mysqld_port_t -p tcp 4568
+ * Lastly, run the following command to allow tcp/4568 and udp/4567.
+ # semanage port -a -t mysqld_port_t -p tcp 4568
+ # semanage port -a -t mysqld_port_t -p udp 4567
+How to run mysqld in permissve mode ?
+ # semanage permissive -a mysqld_t
diff --git a/policy/selinux/mariadb-server.te b/policy/selinux/mariadb-server.te
index 9c0319c83f5..34d79326b10 100644
--- a/policy/selinux/mariadb-server.te
+++ b/policy/selinux/mariadb-server.te
@@ -4,25 +4,25 @@
module mariadb-server 1.0;
require {
- type user_tmp_t;
- type kerberos_port_t;
+ type user_tmp_t;
+ #type kerberos_master_port_t;
type mysqld_safe_t;
- type tmp_t;
- type tmpfs_t;
- type hostname_exec_t;
+ type tmp_t;
+ type tmpfs_t;
+ type hostname_exec_t;
type ifconfig_exec_t;
type sysctl_net_t;
type proc_net_t;
type port_t;
type mysqld_t;
type var_lib_t;
- type rsync_exec_t;
+ type rsync_exec_t;
type bin_t;
type shell_exec_t;
type anon_inodefs_t;
type fixed_disk_device_t;
class lnk_file read;
- class process { getattr signull };
+ class process { getattr signull };
class unix_stream_socket connectto;
class capability { sys_resource sys_nice };
class tcp_socket { name_bind name_connect };
@@ -32,7 +32,10 @@ require {
class dir { write search getattr add_name read remove_name open };
# MariaDB additions
+ type kerberos_port_t;
type tram_port_t;
+ type mysqld_port_t;
+ class udp_socket name_bind;
class process setpgid;
class netlink_tcpdiag_socket { create nlmsg_read };
}
@@ -56,8 +59,8 @@ allow mysqld_t tmpfs_t:file { write getattr read create unlink open };
allow mysqld_t fixed_disk_device_t:blk_file { read write open };
allow mysqld_t ifconfig_exec_t:file { read execute open execute_no_trans getattr };
-#This rule allows connecting on 4444
-allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };
+#This rule allows connecting on 4444/4567/4568
+#allow mysqld_t kerberos_master_port_t:tcp_socket { name_bind name_connect };
allow mysqld_t mysqld_safe_t:dir { getattr search };
allow mysqld_t mysqld_safe_t:file { read open };
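Review bot: The comment `#This rule allows connecting on 4444/4567/4568` now sits above a rule that is itself commented out (`#allow mysqld_t kerberos_master_port_t:tcp_socket { name_bind name_connect };`), so someone auditing the policy sees a port description with no live rule behind it while the real 4444 rule lives further down under "MariaDB additions". Dropping both commented lines, together with `#type kerberos_master_port_t;` in the require block of the first hunk, keeps the file readable as exactly the set of permissions that are granted. If kerberos_master_port_t is kept as a hint for newer base policies, a one-line comment next to the live kerberos_port_t rule (`# 4444 is labeled kerberos_port_t here; presumably kerberos_master_port_t on newer base policies`) would say so without dead rules.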
@@ -82,8 +85,13 @@ allow mysqld_t bin_t:file { getattr read execute open execute_no_trans ioctl };
# MariaDB additions
allow mysqld_t self:process setpgid;
-# This rule allows port 4567
+# This rule allows port tcp/4444
+allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };
+# This rule allows port tcp/4567 (tram_port_t may not be available on
+# older versions)
allow mysqld_t tram_port_t:tcp_socket name_bind;
+# This rule allows port udp/4567 (see README)
+allow mysqld_t mysqld_port_t:udp_socket name_bind;
# Rules related to XtraBackup
allow mysqld_t self:netlink_tcpdiag_socket { create nlmsg_read };
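Review bot: The comment on the new udp rule understates its scope: `allow mysqld_t mysqld_port_t:udp_socket name_bind;` lets mysqld_t bind any UDP port carrying the mysqld_port_t label, so the effective set is whatever the base policy assigns to that type plus every port an administrator later adds with `semanage port -a -t mysqld_port_t -p udp`, not udp/4567 alone. A comment stating the actual contract, `# Bind any udp port labeled mysqld_port_t; the README labels udp/4567 with it`, tells an auditor what is really granted. Separately, the new comment admits tram_port_t may be missing on older base policies, yet the unconditional `type tram_port_t;` in the require block (second hunk) makes `semodule -i` reject the whole module on such a system; since the README builds through the refpolicy devel Makefile, wrapping that require and the tram_port_t rule in an `optional_policy(` block with a `gen_require(` inside would presumably let the module load either way, to be confirmed against the target policy version.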